Chloe ChamberlandWORDFENCE:477486AF3FDEA692276EB2A5EBC0F785Wordfence Intelligence Weekly WordPress Vulnerability Report (June 5, 2023 to June 11, 2023)
EPSS
Percentile
82.8%
Last week, there were 45 vulnerabilities disclosed in 30 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 17 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Abandoned Cart Lite for WooCommerce <= 5.14.2 - Authentication Bypass
- WAF-RULE-607 - title redacted while we work with the developer to ensure this gets patched.
- WAF-RULE-608 - title redacted while we work with the developer to ensure this gets patched.
- WAF-RULE-609 - title redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 5 |
| Patched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 34 |
| High Severity | 10 |
| Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 18 |
| Authorization Bypass Through User-Controlled Key | 5 |
| Missing Authorization | 5 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5 |
| Deserialization of Untrusted Data | 1 |
| Information Exposure | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Improper Authorization | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Ramuel Gall | |
| (Wordfence Vulnerability Researcher) | 12 |
| Alex Thomas | |
| (Wordfence Vulnerability Researcher) | 7 |
| Erwan LR | 4 |
| Ilyase Dehy | 2 |
| Chien Vuong | 2 |
| Taurus Omar | 2 |
| Le Ngoc Anh | 1 |
| Juampa Rodríguez | 1 |
| Aymane Mazguiti | 1 |
| Mohamed Selim | 1 |
| Lana Codes | |
| (Wordfence Vulnerability Researcher) | 1 |
| Etan Imanol Castro Aldrete | 1 |
| Ivan Kuzymchak | |
| (Wordfence Vulnerability Researcher) | 1 |
| Marco Wotschka | |
| (Wordfence Vulnerability Researcher) | 1 |
| NGO VAN TU | 1 |
| Shreya Pohekar | 1 |
| iohex | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Aajoda Testimonials | aajoda-testimonials |
| Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
| Catalyst Connect Zoho CRM Client Portal | catalyst-connect-client-portal |
| CodeColorer | codecolorer |
| Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | dokan-lite |
| Download Monitor | download-monitor |
| Easy Digital Downloads – Simple eCommerce for Selling Digital Files | easy-digital-downloads |
| Editorial Calendar | editorial-calendar |
| Elementor Addons, Widgets and Enhancements – Stax | stax-addons-for-elementor |
| FiboSearch – Ajax Search for WooCommerce | ajax-search-for-woocommerce |
| FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
| GD Mail Queue | gd-mail-queue |
| Getwid – Gutenberg Blocks | getwid |
| Gravity Forms Google Sheet Connector | gsheetconnector-gravity-forms |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| Lana Email Logger | lana-email-logger |
| Mail logging – WP Mail Catcher | wp-mail-catcher |
| Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress | metform |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Responsive CSS EDITOR | responsive-css-editor |
| Shopping Cart & eCommerce Store | wp-easycart |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Ultimate Product Catalog | ultimate-product-catalogue |
| Visitor Traffic Real Time Statistics | visitors-traffic-real-time-statistics |
| WP Brutal AI | wpbrutalai |
| WP Inventory Manager | wp-inventory-manager |
| WP Mail Logging | wp-mail-logging |
| WP-Members Membership Plugin | wp-members |
| WordPress Tables | wptables |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Abandoned Cart Lite for WooCommerce <= 5.14.2 - Authentication Bypass
Affected Software: Abandoned Cart Lite for WooCommerce CVE ID: CVE-2023-2986 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/68052614-204f-4237-af0e-4b8210ebd59f>
Download Monitor <= 4.8.3 - Authenticated(Subscriber+) Arbitrary File Upload via upload_file
Affected Software: Download Monitor CVE ID: CVE Unknown CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/657b1b7b-eac2-4935-a50f-0849c4e96b16>
Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated(Subscriber+) SQL Injection
Affected Software: Ultimate Addons for Contact Form 7 CVE ID: CVE-2023-1615 CVSS Score: 8.8 (High) Researcher/s: Etan Imanol Castro Aldrete Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/817ca119-ddaf-4525-beee-68c4e0aac544>
WP Brutal AI < 2.0.0 - Cross-Site Request Forgery to SQL Injection
Affected Software: WP Brutal AI CVE ID: CVE-2023-2601 CVSS Score: 8.8 (High) Researcher/s: Taurus Omar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4eb5833-25cd-4a6c-9240-37a9f8c1b120>
Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated(Subscriber+) Server Side Request Forgery
Affected Software: Getwid – Gutenberg Blocks CVE ID: CVE-2023-1895 CVSS Score: 8.5 (High) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9c2a942-c14c-4b59-92a7-6946b2e4731b>
Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0721 CVSS Score: 8.3 (High) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ccd85a72-1872-4c4f-8ba7-7f91b0b37d4a>
GD Mail Queue <= 3.9.3 - Unauthenticated Stored Cross-Site Scripting via Email
Affected Software: GD Mail Queue CVE ID: CVE-2023-3122 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b668f45-c7fb-481b-bc8e-115e5b7248c9>
WP Mail Catcher <= 2.1.2 - Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: Mail logging – WP Mail Catcher CVE ID: CVE-2023-3080 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1525e1c9-4b94-4f9f-92c5-fc69fe000771>
WP EasyCart <= 5.4.10 - Authenticated (Administrator+) SQL Injection via 'orderby'
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-3023 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e>
Lana Email Logger <= 1.0.2 - Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: Lana Email Logger CVE ID: CVE-2023-3166 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d5f372bf-6b13-4ba7-8b8b-9d3b500e4420>
WP Mail Logging <= 1.11.1 - Unauthenticated Stored Cross-Site Scripting via Email
Affected Software: WP Mail Logging CVE ID: CVE-2023-3081 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef20b3e6-d8f4-458e-b604-b46ef16e229e>
Dokan <=3.7.19 - Authenticated(Shop Manager+) PHP Object Injection via create_dummy_vendor
Affected Software: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy CVE ID: CVE Unknown CVSS Score: 6.6 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1597859c-2808-4e0f-aa8d-4e2727728e22>
Responsive CSS EDITOR <= 1.0 - Authenticated(Administrator+) SQL Injection
Affected Software: Responsive CSS EDITOR CVE ID: CVE-2023-2482 CVSS Score: 6.6 (Medium) Researcher/s: Chien Vuong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60ffe162-5bcd-4ffc-af45-81240751bc62>
FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection
Affected Software: FormCraft – Contact Form Builder for WordPress CVE ID: CVE-2023-2592 CVSS Score: 6.6 (Medium) Researcher/s: Chien Vuong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72b4f6bb-59dd-453c-b089-4777dcefb11f>
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0694 CVSS Score: 6.5 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a8b194c-371f-4adc-98fa-8f4e47a38ee7>
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0693 CVSS Score: 6.5 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f33a8db-7cd0-4a53-b2c1-cd5b7cd16214>
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Sensitive Information Exposure
Affected Software: KiviCare – Clinic & Patient Management System (EHR) CVE ID: CVE-2023-2623 CVSS Score: 6.5 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39404341-8a27-4770-b6a6-d33e899b6bd8>
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Cross-Site Request Forgery
Affected Software: KiviCare – Clinic & Patient Management System (EHR) CVE ID: CVE-2023-2628 CVSS Score: 6.5 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4101c35e-5af9-4372-9ed1-fb6a15d8500f>
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0688 CVSS Score: 6.5 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/81fc41a4-9206-404c-bd5b-821c77ff3593>
Editorial Calendar <= 3.7.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action
Affected Software: Editorial Calendar CVE ID: CVE-2022-4115 CVSS Score: 6.4 (Medium) Researcher/s: iohex Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3dac7b6-512d-4fd6-8294-f0b1c0a2efd7>
WordPress Tables <= 1.3.9 - Reflected Cross-Site Scripting via error_msg
Affected Software: WordPress Tables CVE ID: CVE-2023-25453 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/099dfb18-fc73-4a19-b017-1675c9acfa2f>
WP Brutal AI < 2.0.1 - Reflected Cross-Site Scripting
Affected Software: WP Brutal AI CVE ID: CVE-2023-2605 CVSS Score: 6.1 (Medium) Researcher/s: Taurus Omar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2aabec9-1968-4c0e-baed-9aa78eb236e8>
Catalyst Connect Zoho CRM Client Portal <= 2.0.0 - Reflected Cross-Site Scripting
Affected Software: Catalyst Connect Zoho CRM Client Portal CVE ID: CVE-2023-0588 CVSS Score: 6.1 (Medium) Researcher/s: Shreya Pohekar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d63543f9-4865-444f-9a32-3b23e92b0bd4>
Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0695 CVSS Score: 5.4 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c866d8d-399c-4bda-a3c9-17c7e5d2ffb8>
Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0709 CVSS Score: 5.4 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/25200656-a6a2-42f2-a607-26d4ff502cbf>
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Missing Authorization
Affected Software: KiviCare – Clinic & Patient Management System (EHR) CVE ID: CVE-2023-2627 CVSS Score: 5.4 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88898997-6199-4b33-bd35-70a1a01812ec>
Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0708 CVSS Score: 5.4 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae7549db-9a4b-4dee-8023-d7863dc3b4c8>
Gravity Forms Google Sheet Connector <= 1.3.4 - Cross-Site Request Forgery via verify_code_integation_new
Affected Software: Gravity Forms Google Sheet Connector CVE ID: CVE-2023-2326 CVSS Score: 5.4 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dea1e775-68b4-45e6-9d90-41e39d5d0dfd>
Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0710 CVSS Score: 4.9 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89a98053-33c7-4e75-87a1-0f483a990641>
Aajoda Testimonials <= 2.2.1 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Aajoda Testimonials CVE ID: CVE-2023-2178 CVSS Score: 4.4 (Medium) Researcher/s: Juampa Rodríguez Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/10f28404-acd0-40de-af42-2970b5b25bde>
Ultimate Product Catalog <= 5.2.5 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Ultimate Product Catalog CVE ID: CVE-2023-2711 CVSS Score: 4.4 (Medium) Researcher/s: Ilyase Dehy, Aymane Mazguiti Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/288559f0-eab6-4933-a026-8413476af6eb>
Social Media Share Buttons & Social Sharing Icons <= 2.8.1 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Social Media Share Buttons & Social Sharing Icons CVE ID: CVE-2023-1166 CVSS Score: 4.4 (Medium) Researcher/s: Mohamed Selim Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3cf2013a-d403-456f-aeb4-46b6e00b057f>
PowerPress <= 10.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Feed[title]'
Affected Software: PowerPress Podcasting plugin by Blubrry CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64371d43-3acd-4863-80e4-deab071777b9>
FiboSearch - AJAX Search for WooCommerce <= 1.23.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: FiboSearch – Ajax Search for WooCommerce CVE ID: CVE-2023-2450 CVSS Score: 4.4 (Medium) Researcher/s: Ivan Kuzymchak Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/880573d8-6dad-4a1b-a5db-33e1dc243062>
CodeColorer <= 0.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: CodeColorer CVE ID: CVE-2023-2795 CVSS Score: 4.4 (Medium) Researcher/s: Ilyase Dehy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c78ec44e-c3e4-410e-9937-46657664d6cb>
Download Monitor <= 4.7.60 - Missing Authorization to Authenticated Data Export
Affected Software: Download Monitor CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2d58f34b-5bd7-4be6-a7ce-b0769bec9aad>
Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint
Affected Software: Getwid – Gutenberg Blocks CVE ID: CVE-2023-1910 CVSS Score: 4.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6cd64ab0-007b-4778-9d92-06e530638fad>
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0691 CVSS Score: 4.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8fc4b815-dc05-4270-bf7a-3b01622739d7>
Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Missing Authorization in toggle_widget
Affected Software: Elementor Addons, Widgets and Enhancements – Stax CVE ID: CVE-2023-2189 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/926550bb-265d-4811-a375-10c47e9fb4d6>
WP-Members Membership <= 3.4.7.3 - Missing Authorization to Settings Update
Affected Software: WP-Members Membership Plugin CVE ID: CVE-2023-2869 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bf05a79a-0375-4c9d-bbf0-a87484327b87>
Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Cross-Site Request Forgery via toggle_widget
Affected Software: Elementor Addons, Widgets and Enhancements – Stax CVE ID: CVE-2023-1807 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c12094bd-aa23-4f9b-92e1-d1d4284fb2a0>
Visitor Traffic Real Time Statistics <= 6.7 - Missing Authorization to Information Disclosure
Affected Software: Visitor Traffic Real Time Statistics CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c7ab5a00-ce1c-4d74-9192-c9834e2d702d>
WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item
Affected Software: WP Inventory Manager CVE ID: CVE-2023-2842 CVSS Score: 4.3 (Medium) Researcher/s: NGO VAN TU Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d51f0230-b85c-4c2d-9fa0-e68b52e51c76>
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress CVE ID: CVE-2023-0692 CVSS Score: 4.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddd85ff2-6607-4ac8-b91c-88f6f2fa6c56>
Easy Digital Downloads <= 3.1.1.4.2 - Cross-Site Request Forgery via edd_trigger_upgrades
Affected Software: Easy Digital Downloads – Simple eCommerce for Selling Digital Files CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3adcb85-efc5-429c-8a06-9bfb472d668f>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 5, 2023 to June 11, 2023) appeared first on Wordfence.
Related
